9389839

Safe Code for Signature Updates in an Intrusion Prevention System

Published: July 12, 2016
Assignee: not available in USPTO data we have

Patent Claims
16 claims

Legal claims defining the scope of protection, as filed with the USPTO.

1. In a computing environment, a method comprising: obtaining, by an engine, a signature including executable logic for detecting the signature and a state machine for tracking a state of a protocol defined by the executable logic of the signature, wherein the signature is authored in a definition language of safe constructs; obtaining one or more expressions from the signature through providing the one or more expressions from the executable logic to a protocol analyzer associated with the engine; causing a safe compiler to compile the signature into safe source code; causing the safe source code to be compiled into intermediate language code; causing an interpreter to interpret the intermediate language code to determine that the executable logic of the signature is signed by a publisher; causing the interpreter to generate tokens by parsing network traffic according to one or more expressions obtained from the executable logic; sending the generated tokens to the state machine of the signature; allowing the state machine of the signature to use the generated tokens to track the state of the protocol as the network traffic is processed by the engine; receiving a detected pattern of content from the state machine based on the tokens used by the state machine; and responsive to receiving the detected pattern of content from the state machine based on the used tokens, iteratively providing a next group of one or more expressions to evaluate that are received from the executable logic to the protocol analyzer until an expression match is found.

2. The method of claim 1 further comprising: obtaining the one or more expressions from the executable logic, wherein obtaining the one or more expressions further comprises interpreting the intermediate language.

3. The method of claim 1 further comprising: outputting an indication when the signature has been detected.

4. In a computing environment, a system comprising: a network traffic evaluation engine configured to evaluate network traffic to determine if a signature is matched, the network traffic evaluation engine executing logic to: obtain the signature to match, the signature comprising executable logic and a state machine for tracking a state of a protocol defined by the executable logic of the signature; a safe compiler configured to compile the executable logic into source code and validate that the source code comprises safe code; an intermediate compiler configured to compile the source code into intermediate language of the executable logic; a generic protocol analyzer configured to receive an expression set from the executable logic from the network traffic evaluation engine and execute logic to: generate one or more tokens by parsing the network traffic according to the received expression set to detect whether the expression set is matched; and send the generated tokens to the state machine of the signature via the network traffic evaluation engine to allow the state machine to use the generated tokens to track the state of the protocol; the network traffic evaluation engine further configured to execute logic to: cause an interpreter to verify that the intermediate language of the executable logic comprises only valid operations; obtain a detected pattern of content from the state machine based on the tokens used by the state machine; and iteratively providing a next group of tokenized versions of one or more expressions to the state machine to evaluate until an expression match is found.

5. The system of claim 4 further comprising a compiler configured to produce the executable logic corresponding to the signature.

6. The system of claim 5 wherein the compiler is further configured to produce source code from a signature definition language.

7. The system of claim 5 wherein the compiler includes a first level that is configured to provide source code from a signature definition language, and a second level that is configured to provide intermediate language or machine code from the source code.

8. The system of claim 4 wherein the generic protocol analyzer is further configured to execute logic to: output an indication that the signature is detected.

9. The system of claim 4 wherein the network traffic evaluation engine includes an application programming interface (API) set by which the executable logic sets or gets, or both sets and gets, at least one variable maintained by the evaluation engine.

10. The system of claim 4 wherein the network traffic evaluation engine includes an API set by which the executable logic controls execution of the network traffic evaluation engine.

11. One or more computer storage memory having computer-executable instructions stored thereon, which in response to execution by the computer, cause the computer to perform operations, comprising: receiving a signature that includes executable logic for detecting the signature in network traffic and a state machine for tracking a state of a protocol defined by the executable logic of the signature, wherein the signature is authored in a definition language of safe constructs; causing a safe compiler to compile the signature into safe source code; causing the safe source code to be compiled into intermediate language code; causing an interpreter to interpret the intermediate language code to determine that the executable logic included in the signature is signed by a publisher; generating one or more tokens by parsing the network traffic according to a first expression set received from the executable logic; sending the generated tokens to the state machine of the signature to track the state of the protocol using the generated tokens; iteratively detecting whether the generated tokens corresponding to the network traffic matches the first expression set received from the executable logic until an expression match is found; and responsive to a detection that the generated tokens corresponding to the network traffic matches the first expression set, notifying the executable logic and receiving a second expression set to match or a communication indicating that the signature is detected.

12. The one or more computer storage memory of claim 11 wherein the executable logic of signature is described in a definition language, the definition language is compiled into source code, and the source code is compiled into intermediate code.

13. The one or more computer storage memory of claim 12 wherein communicating with the executable logic comprises interpreting the intermediate code.

14. The one or more computer storage memory of claim 11 having further computer-executable instructions stored thereon, which in response to execution by the computer, cause the computer to perform further operations comprising: receiving a function call to set a variable, receiving a function call to get a variable, and receiving a function call to buffer data.

15. The one or more computer storage memory of claim 11 further comprising: providing the first expression set received from the executable logic to a protocol analyzer for evaluation; processing the network traffic to determine a match between each network packet token and the first expression set; and responsive to a determination that the each network packet token does not match, discarding the each network packet token.

16. The one or more computer storage memory of claim 11 further comprising: providing the first expression set received from the executable logic to a protocol analyzer for evaluation; processing the network traffic to determine a match between each network packet token and the first expression set; and responsive to a determination that the each network packet token does not match, buffering one or more of the each network packet token.

Patent Metadata

Filing Date

Unknown

Publication Date

July 12, 2016

Inventors

Vladimir Lifliand
Evgeney Ryzhyk
Yifat Sagiv
Maxim Uritsky

Cite as: Patentable. “SAFE CODE FOR SIGNATURE UPDATES IN AN INTRUSION PREVENTION SYSTEM” (9389839). https://patentable.app/patents/9389839